Network flooding from ReadyNAS Pro 6

GUDECO_IT
Aspirant

Network flooding from ReadyNAS Pro 6

Hello there!

We are using a ReadyNAS Pro 6 in our company. But today it suddenly decided to go haywire.

It flooded our network with more than 60,000 sessions, all to Chinese IP addresses. Has anyone here experienced a similar problem? We had the same problem a year ago with another Netgear NAS but solved it by just denying internet access for that specific NAS.

 

I tried to analyse the problem we experienced today:

Looking at the firewall logfiles, it started up to 10 unique connections a second to only one IP address (43.227.183.37), which eventually exhausted the NAT ports on our firewall, disconnecting our remote offices and VPN users.

We tried to check the logfiles from the NAS itself, but there is no reference to any massive network-flooding activity.

Does anyone have any idea what the hell happened there? Keep in mind that the connections were started by the NAS itself which is especially fascinating.

Model: ReadyNAS RNDP6000|ReadyNAS Pro 6 Chassis only
Message 1 of 7
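A small detector for the symptom the poster found in the firewall logs, as an added example that is not from this thread or from Netgear: it counts new sessions per second from each internal source to each destination and flags any source that exceeds a limit towards a single destination, plus per-source totals as a proxy for NAT-table pressure. The log line format, the addresses (RFC 5737 documentation ranges) and the 10-per-second threshold are assumptions.

```python
"""Flag an internal host that opens many new sessions per second to one
destination. Added example; the log format and thresholds are assumptions,
not the format of the poster's firewall."""
from collections import defaultdict
import re

# Constructed sample lines (assumed format: "<epoch> src=IP dst=IP dport=N").
# Two quiet hosts plus one host (10.0.0.50, standing in for the NAS)
# opening 12 sessions to a single destination within the same second.
SAMPLE_LOG = "\n".join(
    [f"1700000000 src=10.0.0.50 dst=203.0.113.7 dport={40000 + i}" for i in range(12)]
    + ["1700000000 src=10.0.0.12 dst=198.51.100.3 dport=443",
       "1700000001 src=10.0.0.50 dst=203.0.113.7 dport=40012",
       "1700000001 src=10.0.0.13 dst=198.51.100.9 dport=80"]
)

LINE_RE = re.compile(r"^(\d+) src=(\S+) dst=(\S+) dport=(\d+)$")

def count_sessions(log_text):
    """Return {(second, src, dst): new_session_count} parsed from the log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, src, dst, _ = m.groups()
        counts[(int(ts), src, dst)] += 1
    return counts

def find_flooders(log_text, per_second_limit=10):
    """Return sorted (src, dst, second, count) tuples for every second in which
    one source opened more than per_second_limit new sessions to one dst."""
    hits = [(src, dst, sec, n)
            for (sec, src, dst), n in count_sessions(log_text).items()
            if n > per_second_limit]
    return sorted(hits)

def total_sessions_by_src(log_text):
    """Per-source session totals; one source dominating this table is the
    kind of NAT-table exhaustion described in the post."""
    totals = defaultdict(int)
    for (_, src, _), n in count_sessions(log_text).items():
        totals[src] += n
    return dict(totals)

if __name__ == "__main__":
    for src, dst, sec, n in find_flooders(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} new sessions at t={sec}")
    print(total_sessions_by_src(SAMPLE_LOG))
```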

StephenB
Guru

Re: Network flooding from ReadyNAS Pro 6

What firmware is this NAS running?

What apps (if any) are running on it?

Is access to the NAS over the internet allowed?

 

In general, if the NAS has been compromised then I suggest doing a factory reset, rebuilding the configuration, and then restoring data from backup.

Message 2 of 7
GUDECO_IT
Aspirant

Re: Network flooding from ReadyNAS Pro 6

Thanks for your quick answer.

The NAS runs firmware version 6.10.0 (RC2)

Enabled Apps are:

- Shell in a box (1.0.0)

- SMB Plus (1.0.8)

- Tftp Server for Readynas (1.0.3)

 

The internet access was cut off around 4 hours ago via firewall policy.

Resetting the device is currently not an option because we first have to move somewhere around 3 TB of data.

 

But I just got new intel from my colleague:

It was not another NAS that made the same problems a year ago, it was this very NAS. And it was reset a year ago. It's almost like a haunted device.

Message 3 of 7
StephenB
Guru

Re: Network flooding from ReadyNAS Pro 6


@GUDECO_IT wrote:

 

It was not another NAS that made the same problems a year ago, ... It's almost like a haunted device.


 

Shell-in-the-box could be the vector, especially if web access over the internet is possible.  

 

Message 4 of 7
GUDECO_IT
Aspirant

Re: Network flooding from ReadyNAS Pro 6

Thank you again for your quick answer 🙂

We deactivated and deleted the SIAB app and enabled internet access (for test purposes).

But again the NAS started what almost looks like a DDoS attack against the same IP and created about 100 Mbps of outbound traffic.

 

After rebooting the NAS, it now starts around 1000 sessions to a Chinese DNS server (114.114.114.114), the Google 8.8.8.8 and the Google 8.8.4.4 DNS servers, but NOT to the IP address mentioned in my first post, so disabling and deleting the app solved about 90% of our problem 🙂

After disabling the internet access again and ending the sessions in the firewall it went back to normal.

Next step would be the factory reset which we will try to do maybe as early as this week.

Message 5 of 7
Hopchen
Prodigy

Re: Network flooding from ReadyNAS Pro 6

I will 100% agree with @StephenB so it is good that you are going to factory reset it.

Make sure your passwords are strong. I am talking 20-digit, randomly generated passwords. Don't open the NAS to the Internet (port forwarding) unless it is absolutely crucial to the workflow. If people need to access the NAS CLI, then use PuTTY and SSH. I would also advise turning off HTTP admin so the admin page can only be accessed via HTTPS.

 

But again, use strong passwords! 🙂

Message 6 of 7
GUDECO_IT
Aspirant

Re: Network flooding from ReadyNAS Pro 6

And again thanks for the support!

We changed the password to a 25-digit random upper-lower-syntaxerror password.

So I guess I witnessed my first infected (possessed) device in my career 🙂

 

I will mark the thread as resolved since the factory reset will be somewhere in the future.

Thank you!

Message 7 of 7